As technology matures and produces new opportunities for human advancement, it also creates new threats and vulnerabilities. Today’s interconnected and interdependent systems heighten these risks because they increase the likelihood of a cyber-attack having cascading consequences across the country. The federal government plays a large role in cyber preparedness and cyber incident response, but as the frequency and severity of cyber-attacks continue to grow, the nation must decide the proper balance between all levels of government in the cyber mission space. This thesis argues that the nation should address this escalating threat by embracing cyber federalism—a bottom-up approach where state and local governments play a larger role in cybersecurity. Cyber federalism would allow the federal government to focus resources on significant cyber threats, while empowering state and local governments to manage their own cybersecurity needs.
The cyber threat has evolved from a localized problem impacting a small number of computers within isolated systems to a boundless danger for highly interconnected systems. This evolution forced the federal government to develop a range of policies aimed at improving cyber preparedness and cyber incident response. For example, Presidential Policy Directive (PPD) 41: United States Cyber Incident Coordination organizes the federal government’s cyber response efforts by clarifying the roles and responsibilities of all federal entities with a cyber mission. The federal government also utilizes several information sharing mechanisms—such as Information Sharing and Analysis Centers (ISAC), Information Sharing and Analysis Organizations (ISAO), and fusion centers—to improve collaboration with public and private sector partners. These policies and programs have helped the federal government improve their cyber capabilities, but the current cyber threat environment is too complex for the federal government to handle alone.
In many instances, state and local governments are the first line of defense, especially if the cyber incident affects public services or critical infrastructure. Unfortunately, most state and local governments still struggle to develop the cyber capabilities required to prepare for and respond to these cyber threats. In 2013, the Potomac Institute for Policy Studies developed the Cyber Readiness Index, which evaluates seven elements to gauge an entity’s cyber preparedness. These elements are: (1) strategy; (2) incident response; (3) cybercrime and law enforcement; (4) information sharing; (5) research and development, education, and capacity building; (6) commerce; and (7) defense. This thesis evaluates state and local cyber capabilities by examining their maturity in these seven categories and highlighting best practices from states that have found proficiency in these areas.
This thesis also examines the legal constructs that shape the debate between federalism and a strong central government. For example, the Necessary and Proper Clause grants the federal government significant power to enact laws and the Supremacy Clause prevents states from enforcing any laws that conflict with federal statutes. However, these constitutional provisions are counterbalanced by the 10th Amendment, which strengthens state sovereignty by granting states all powers to govern that are not reserved for the federal government. Together, these principles guide the jurisdictional balancing act among the various levels of government and provide a legal framework for each government’s underlying authorities. Tension over authority also exists in several homeland security missions, such as law enforcement and emergency services, because multiple levels of government play a role, but the nation has mitigated this strain by clarifying jurisdictional boundaries. Moving forward, state and local governments can learn from these examples as they examine their role in the cyber mission.
Ultimately, this thesis concludes that the growing cyber threat is too complex and expansive for the federal government to handle alone so state and local governments must develop the cyber capabilities necessary to play a larger role. It recommends three courses of action to strengthen state and local cyber capabilities and to empower these governments in the cyber mission space. First, the nation should develop a legal framework to improve jurisdictional boundaries across all levels of government. Second, the nation should prioritize cyber investments at the state and local level. Third, state and local governments, in collaboration with the federal government, should improve cyber education at all grade levels. Overall, if the nation wants to maintain its reputation as a world leader in the cyber community and improve its cyber posture, it must embrace a bottom-up approach that gives state and local governments a more significant role in cybersecurity. Cyber federalism would make the nation more adaptable and dynamic when protecting against rapidly evolving cyber threats, which improves the security of the nation as a whole.
Hathaway, Melissa. Cyber Readiness Index 2.0. Potomac Institute for Policy Studies. November 2015. http://www.belfercenter.org/sites/default/files/files/publication/cyber-readiness-index-2.0-web-2016.pdf.
U.S. Constitution. amend. X.
——. art. I, § 8.
——. art. VI, § 2.
 Melissa Hathaway, Cyber Readiness Index 2.0, Potomac Institute for Policy Studies, November 2015, page 4, http://www.belfercenter.org/sites/default/files/files/publication/cyber-readiness-index-2.0-web-2016.pdf.
 Ibid. Also, note that the Cyber Readiness Index identifies “diplomacy and trade” as an element, but this has been renamed to “commerce” in this thesis as it more closely aligns with the responsibilities of state and local governments.
 U.S. Const. art. I, § 8, and U.S. Const. art. VI, § 2.
 U.S. Const. amend. X.